Splunk Search

how to compare same search for two different time range

aravindhan87
New Member

Hi,

I want to compare same uri_stems for different time frame . This is the query I am using but getting error as "Unknown Search command 'index'".

Query:

index="iis" host=server* earliest=$Series1.earliest$ latest=$Series1.latest$ | rex field=cs_uri_stem "[^.](?P<Extension>.)" | where (Extension="" OR Extension=".aspx" OR Extension=".axd" OR Extension=".asmx") | eval cs_uri_stem=lower(cs_uri_stem) | eval cs_host=Addition+cs_host | lookup PageMapping URL as cs_uri_stem, Method as cs_method,Application as cs_host output PageGroup as PageGroup,Critical as Critical TestedLoad as TestedLoad | where Critical=1 | stats avg(time_taken) as Pre_AverageResponseTime,perc90(time_taken) as Pre_90ResponseTime,perc75(time_taken) as Pre_75ResponseTime,count as Pre_TotalHits,max(TestedLoad) as Pre_TestedinLab by PageGroup,cs_host | eval Load%ToTestedInLabA=tostring(round(TotalHits*100/TestedinLab,2))+"%" | fields PageGroup,cs_host,Pre_AverageResponseTime,Pre_90ResponseTime,Pre_75ResponseTime,Pre_TotalHits | sort -cs_host | join type=outer cs_uri_stem [index="iis" host=server* earliest=$Series2.earliest$ latest=$Series2.latest$ | rex field=cs_uri_stem "[^.](?P<Extension>.)" | where (Extension="" OR Extension=".aspx" OR Extension=".axd" OR Extension=".asmx") | eval cs_uri_stem=lower(cs_uri_stem) | eval cs_host=Addition+cs_host | lookup PageMapping URL as cs_uri_stem, Method as cs_method,Application as cs_host output PageGroup as PageGroup,Critical as Critical TestedLoad as TestedLoad | where Critical=1 | stats avg(time_taken) as Pre_AverageResponseTime,perc90(time_taken) as Pre_90ResponseTime,perc75(time_taken) as Pre_75ResponseTime,count as Pre_TotalHits,max(TestedLoad) as Pre_TestedinLab by PageGroup,cs_host | eval Load%ToTestedInLabA=tostring(round(TotalHits*100/TestedinLab,2))+"%" | fields PageGroup,cs_host,Pre_AverageResponseTime,Pre_90ResponseTime,Pre_75ResponseTime,Pre_TotalHits | sort -cs_host]

Tags (2)
0 Karma
1 Solution

ramdaspr
Contributor

You subsearch needs to start with [search index="iis" ....

View solution in original post

ramdaspr
Contributor

You subsearch needs to start with [search index="iis" ....

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...